diff --git a/docs/refguide.xml b/docs/refguide.xml
index c71da8a21..f0b12d73a 100644
--- a/docs/refguide.xml
+++ b/docs/refguide.xml
@@ -1308,10 +1308,17 @@ used.
sequence generation on the zombie host to glean information
about the open ports on the target. IDS systems will
display the scan as coming from the zombie machine you
- specify (which must be up and meet certain criteria). This
- fascinating scan type is too complex to fully describe in this reference
- guide, so I wrote and posted an informal paper with full details at
- .
+ specify (which must be up and meet certain criteria).
+
+ This fascinating scan type is too complex to fully describe in this
+ reference guide, so I wrote and posted an informal paper with full
+ details at .
+
+
+ Full details of this fascinating scan type are in
+ .
+
+
Besides being extraordinarily stealthy (due to its
blind nature), this scan type permits mapping out
@@ -1573,10 +1580,16 @@ way.
it does with open ports), and change the state to open if it
succeeds. open|filtered TCP ports are treated
the same way. Note that the Nmap option
- enables version detection among other things. A paper documenting
- the workings, usage, and customization of version detection is
- available at .
+ enables version detection among other things.
+
+ A paper documenting the workings, usage, and customization of version
+ detection is available at
+ .
+
+
+ Version detection is described in detail in .
+
+
When Nmap receives responses from a service but cannot match
them to its database, it prints out a special fingerprint and
@@ -1764,9 +1777,16 @@ way.
vulnerable to several advanced information gathering and
spoofing attacks.
- A paper documenting the workings, usage, and customization
- of OS detection is available at .
+
+
+ A paper documenting the workings, usage, and customization of OS
+ detection is available at
+ .
+
+
+ OS detection is covered in .
+
+ OS detection is enabled and controlled with the following options:
@@ -1853,11 +1873,13 @@ way.
network handling with the versatility of the lightweight scripting language
Lua, thus providing innumerable
opportunities. A more extensive documentation of the NSE (including its
- API) can be found at: . The
- target of the NSE is to provide Nmap with a flexible infrastructure for
- extending its capabilities and offering its users a simple way of creating
- customized tests. Uses for the NSE include (but definitely are not limited
- to):
+ API) can be found
+ at .
+ in .
+ The target of the NSE is to provide Nmap with a flexible infrastructure
+ for extending its capabilities and offering its users a simple way of
+ creating customized tests. Uses for the NSE include (but definitely are
+ not limited to):
Enhanced version detection (category
@@ -1926,7 +1948,9 @@ way.
you are not required to follow this for the moment, this may change in the
future. Nmap will issue a warning if a file has any other extension.
More extensive documentation on the NSE, including a description of its API
- can be found at .
+ can be found
+ at .
+ in .